meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

CVE: CVE-2022-1050
Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/]
Signed-off-by: Ross Burton <ross.burton@arm.com>

From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001
From: Yuval Shaia <yuval.shaia.ml@gmail.com>
Date: Sun, 3 Apr 2022 12:52:34 +0300
Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver

Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect againts such case.

Fixes: CVE-2022-1050

Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
---
 hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
 1 file changed, 6 insertions(+)

Index: qemu-8.0.0/hw/rdma/vmw/pvrdma_cmd.c
===================================================================
--- qemu-8.0.0.orig/hw/rdma/vmw/pvrdma_cmd.c
+++ qemu-8.0.0/hw/rdma/vmw/pvrdma_cmd.c
@@ -782,6 +782,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
             goto out;
     }
 
+    if (!dsr_info->dsr) {
+            /* Buggy or malicious guest driver */
+            rdma_error_report("Exec command without dsr, req or rsp buffers");
+            goto out;
+    }
+
     if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
                       sizeof(struct cmd_handler)) {
         rdma_error_report("Unsupported command");